US2026067322A1PendingUtilityA1

Investigation of threats using queryable records of behavior

87
Assignee: ABNORMAL AI INCPriority: Mar 12, 2020Filed: Oct 31, 2025Published: Mar 5, 2026
Est. expiryMar 12, 2040(~13.7 yrs left)· nominal 20-yr term from priority
H04L 63/1425H04L 67/125H04L 63/1433H04L 67/30
87
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method for threat detection may include obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise. The method may include parsing the data to identify an attribute of each digital activity. The method may include generating one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities. The method may include generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising the one or more metrics. The method may include generating a graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for threat detection, comprising:
 obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise;   parsing the data to identify an attribute of each digital activity;   generating, based on the attribute of each digital activity, one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities;   generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising the one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective employee of the at least some of the employees; and   generating, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.   
     
     
         2 . The method of  claim 1 , wherein the one or more metrics comprises an index corresponding to a level of risk associated with the threat posed by respective digital activities. 
     
     
         3 . The method of  claim 2 , wherein generating a first digital profile of the plurality of digital profiles comprises:
 determining a plurality of digital activities of the series of digital activities associated with a first employee; and   sorting the plurality of digital activities into a plurality of databases based on respective indexes of the plurality of digital activities.   
     
     
         4 . The method of  claim 1 , wherein the attribute comprises at least one of (i) a reception date, (ii) a transmission date, (iii) a subject, (iv) an identifier of an account, or (v) content of a communication. 
     
     
         5 . The method of  claim 1 , comprising:
 in response to a first interaction with the graphical user interface indicating a first criterion, filtering the plurality of digital profiles such that the graphical user interface displays information corresponding to the first criterion.   
     
     
         6 . The method of  claim 5 , comprising:
 in response to a second interaction with the graphical user interface indicating a second criterion, filtering the information corresponding to the first criterion such that the graphical user interface displays information corresponding to both the first criterion and the second criterion.   
     
     
         7 . The method of  claim 5 , wherein the first criterion comprises a sender name, a sender email address, a recipient name, a recipient email address, a subject, a threat type, a threat level, or a remediation status. 
     
     
         8 . The method of  claim 1 , comprising:
 obtaining a plurality of signals corresponding to a plurality of digital activities of the series of digital activities associated with a respective digital profile of the plurality of digital profiles; and   generating, for each digital profile of the plurality of digital profiles, a metric corresponding a level of risk associated with the respective digital profile based on the plurality of signals.   
     
     
         9 . The method of  claim 8 , wherein the plurality of signals indicate whether a digital activity of the plurality of digital activities is representative of account details being exposed, and wherein the level of risk indicates a probability of account compromise associated with the respective digital profile. 
     
     
         10 . The method of  claim 8 , further comprising:
 determining, based on the metric, a remediation action to address the threat posed by the plurality of digital activities.   
     
     
         11 . A system, comprising:
 one or more memory devices configured to store instructions thereon that, when executed by one or more processors, cause the one or more processors to:
 obtain data that is related to a series of email communications performed with accounts on a channel through which users associated with an enterprise can communicate with other users associated with the enterprise or accounts external to the enterprise; 
 parse the data to identify an attribute of each email communication; 
 generate, based on the attribute of each email communication, one or more metrics indicative of a threat posed by a respective email communication of the series of email communications; 
 generate a plurality of digital profiles for at least a portion of the users associated with the enterprise based on the series of email communications and comprising the one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective user of the at least the portion of the users associated with the enterprise; and 
 generate, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the email communications of the series of email communications. 
   
     
     
         12 . The system of  claim 11 , wherein the one or more metrics comprises an index corresponding to a level of risk associated with the threat posed by respective email communications. 
     
     
         13 . The system of  claim 12 , wherein the instructions, when executed, cause the one or more processors to generate a first digital profile of the plurality of digital profiles by:
 determining a plurality of email communications of the series of email communications associated with a first user; and   sorting the plurality of email communications into a plurality of databases based on respective indexes of the plurality of email communications.   
     
     
         14 . The system of  claim 11 , wherein the risk category is associated with phishing, authentication, or security. 
     
     
         15 . The system of  claim 11 , wherein in response to a first interaction with the graphical user interface indicating a first criterion, the instructions, when executed, cause the one or more processors to:
 apply a filter to the plurality of digital profiles such that the graphical user interface displays information corresponding to the first criterion.   
     
     
         16 . The system of  claim 15 , wherein in response to a second interaction with the graphical user interface indicating a second criterion, the instructions, when executed, cause the one or more processors to:
 apply a second filter to the information corresponding to the first criterion such that the graphical user interface displays information corresponding to both the first criterion and the second criterion.   
     
     
         17 . The system of  claim 15 , wherein the first criterion comprises a sender name, a sender email address, a recipient name, a recipient email address, a subject, a threat type, a threat level, or a remediation status. 
     
     
         18 . The system of  claim 11 , wherein the instructions cause the one or more processors to:
 obtain a plurality of signals corresponding to a plurality of email communications of the series of email communications associated with a respective digital profile of the plurality of digital profiles; and   generate, for each digital profile of the plurality of digital profiles, a metric corresponding a level of risk associated with the respective digital profile based on the plurality of signals.   
     
     
         19 . The system of  claim 18 , wherein the plurality of signals indicate whether an email communication of the plurality of email communications is representative of account compromise, and wherein the level of risk indicates a probability of account compromise associated with the respective digital profile. 
     
     
         20 . One or more non-transitory computer readable media storing instructions thereon that, when executed by one or more processors, causes the one or more processors to perform operations comprising:
 obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise;   parsing the data to identify an attribute of each digital activity;   generating, based on the attribute of each digital activity, one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities;   generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective employee of the at least some of the employees; and   generating, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.